Deciphering The Legitimacy of an Email: Sender and Receiver

Cybercriminals love email not only because it can be used to manipulate potential victims, but because it is also very easy to spoof.  Cybercriminals will set up fake email accounts and matching addresses so that a message appears to be legitimate.  Spoofed emails are difficult to identify without a careful examination of the message, and specifically of the email “header.”

Each email message contains two “headers.”  The first is the visible header, which you can see at the top of any email message. The visible header contains the From, To, Date, CC and Subject lines. We see visible headers every day but never pay much attention to them. Spoofing is so easy that it doesn’t take a skilled cybercriminal to manipulate the message header and change the sender’s identity so an email looks like it is coming from someone else: the From line is simply text supplied by the sending program, and nothing in the mail protocol forces it to match the real sender.

The second header is called the technical header, which I will discuss in my next post.

One way to begin deciphering the legitimacy of an email is to review the visible header, starting with the From: and To: fields.

From: The Sender 

  • Do you recognize the sender’s email address? Check it carefully, since an attacker can register an address that looks like one you are used to seeing. Check how the name and the domain are spelled: a single dropped, added or swapped character is easy to miss.
  • Does the email appear to come from someone inside the organization, yet the subject or content is unusual in some way? For example, a manager asking you to buy gift cards when they have never asked that before, and you have no authority to do so.
  • Does the sender’s email address look familiar but come from a different domain than you are used to seeing? For example, instead of Your_Boss@Your.Institution the message comes from Your_Boss@yahoo.com.
  • Do you have no relationship with, and no past correspondence with, the sender? Such cold-call emails may simply be “legitimate” spam, but they may also be malicious in intent.
  • Is the message from someone you haven’t communicated with recently?
  • Is the message from a friend of a friend, someone you may know by name but have never corresponded with? Cybercriminals often break into email accounts and harvest names from their address books.

To: The Recipient

Cybercriminals will send their email messages to a group of people in an attempt to get at least one to take the bait.

  • Are you on CC of an email sent to one or more recipients you don’t recognize? If the other recipients are strangers to you, the criminal may have harvested an address book (from a mailbox in which your name appears) and, instead of sending individual emails, done a single email blast.
  • Is there any pattern to the other recipients, such as all names starting with the same letter? That is what a sorted, stolen address list looks like.

If there is any question about an email or a specific request, pick up the phone and call the person you think sent the message to confirm it, using a number you already have rather than one supplied in the message.
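Here are the From: and To: questions above turned into runnable checks, as an added example that is not part of the original post. The organization domain (example.edu), the address book of people you normally hear from and the sample headers are all made-up assumptions for illustration; the code uses only the Python standard library.

```python
"""Visible-header review as runnable checks (added example, constructed data)."""
import re
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "example.edu"                       # assumed: your organization
MY_ADDRESS = "you@example.edu"                        # assumed: your own mailbox
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Assumed address book: display name -> the address that person normally writes from.
ADDRESS_BOOK = {
    "Your Boss": "your_boss@example.edu",
    "Alice Partner": "alice@partner.example",
}
KNOWN_ADDRESSES = {a.lower() for a in ADDRESS_BOOK.values()}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one dropped, added or changed character is a distance of 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def lookalike_domain(domain: str, target: str = INTERNAL_DOMAIN) -> bool:
    """True when `domain` imitates `target` without being it or one of its subdomains:
    a near-miss spelling (examp1e.edu) or the real name buried inside a longer one
    (example.edu.mail-login.net, example-edu.com)."""
    if not domain or domain == target or domain.endswith("." + target):
        return False
    if levenshtein(domain, target) <= 2:
        return True
    squash = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())   # 'example-edu.com' -> 'exampleeducom'
    return squash(target) in squash(domain)


def check_sender(from_header: str) -> list[str]:
    """Apply the From: questions to one header value; returns plain-English warnings."""
    warnings = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    usual = ADDRESS_BOOK.get(name, "").lower()

    if "@" in name and name.lower() != addr:        # display name posing as an address
        warnings.append(f"display name '{name}' looks like an address but the sender is {addr}")
    if usual and usual != addr:                     # a name you know, from an address you don't
        warnings.append(f"'{name}' normally writes from {usual}, not {addr}")
    if usual and domain in FREEMAIL_DOMAINS:        # colleague suddenly writing from webmail
        warnings.append(f"'{name}' is writing from the webmail domain {domain}")
    if lookalike_domain(domain):                    # typo-squat of your own domain
        warnings.append(f"sender domain {domain} imitates {INTERNAL_DOMAIN}")
    if not is_internal(domain) and addr not in KNOWN_ADDRESSES:
        warnings.append(f"no previous correspondence with {addr}")
    return warnings


def check_recipients(to_header: str, cc_header: str = "") -> list[str]:
    """Apply the To:/CC: questions: who else got this, and do they look harvested?"""
    warnings = []
    to = [a.lower() for _, a in getaddresses([to_header]) if a]
    cc = [a.lower() for _, a in getaddresses([cc_header]) if a]
    others = [a for a in to + cc if a != MY_ADDRESS]
    unknown = [a for a in others
               if a not in KNOWN_ADDRESSES and not is_internal(a.rpartition("@")[2])]
    if unknown:
        where = "CC'd" if MY_ADDRESS in cc else "addressed"
        warnings.append(f"you are {where} alongside {len(unknown)} recipient(s) you do not know")
    initials = {a[0] for a in others}
    if len(others) >= 3 and len(initials) == 1:     # alphabetical slice of a stolen address book
        warnings.append(f"all {len(others)} other recipients start with '{initials.pop()}': "
                        "looks like a sorted, harvested list")
    return warnings


def review(from_header: str, to_header: str, cc_header: str = "") -> list[str]:
    return check_sender(from_header) + check_recipients(to_header, cc_header)


if __name__ == "__main__":
    # Constructed sample headers, one per item in the checklist.
    samples = [
        ("Your Boss <your_boss@yahoo.com>", MY_ADDRESS, ""),
        ("Your Boss <your_boss@examp1e.edu>", MY_ADDRESS, ""),
        ('"your_boss@example.edu" <attacker@mail-login.net>', MY_ADDRESS, ""),
        ("it-helpdesk@example.edu", MY_ADDRESS, ""),
        ("newsletter@shop.example", "anna@x.example, andrew@y.example, alex@z.example", MY_ADDRESS),
    ]
    for frm, to, cc in samples:
        print(frm, "->", review(frm, to, cc) or ["no warnings"])
```

Run it and each sample prints the warnings it triggers. The domain test is deliberately fuzzy (an edit distance of two, or the real domain buried inside a longer one), so expect the occasional false positive on legitimate partners; it is a prompt to look closer, not a verdict.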

Deciphering The Legitimacy of an Email: The Message Header

Cybercriminals love email.  They love it not only because it can be used to manipulate potential victims but also because it is very easy to “spoof.” Simply put, a spoofed email is one in which the address in the From field is not that of the actual sender. Yet how often do we just scan our email messages for familiar names or subjects and assume they are legitimate? Every.Single.Day. This is why the bad guys love email.

Identifying a spoofed email requires careful examination of the message, starting with the email “header.” Before we get into how to examine a header, it is important to understand how an email is transmitted.

After you compose an email message and hit Send, your email program (e.g. Gmail, Outlook) hands the message to an SMTP (Simple Mail Transfer Protocol) server, which begins the process of transmitting it to the intended recipient. Your message is then relayed from SMTP server to SMTP server across the Internet to its final destination domain (e.g. gmail.com). Each server that handles the message stamps its own Received line onto the header as it passes the message along.

When your message arrives at its destination domain it is stored in the recipient’s mailbox on an IMAP (Internet Message Access Protocol) or POP (Post Office Protocol) server. This server holds the message in the recipient’s inbox until it is fetched by an email program.

The information in the email header records where the message came from and where it is going, so every server along the way can route it. Every email message contains two headers. The first is the visible header, which you see at the top of any email message; it contains the From, To, Date, CC and Subject lines.

The second email header is called the technical header (your email client may label it the full, raw or original header). It is almost always hidden from view, and it can take a bit of digging in your email client to find the option that makes it visible. The technical header contains all the – you guessed it – technical details used to route the message, including the Return-Path (the address bounces go back to) and one Received line for every server that handled the message.
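As an added example (not from the original post), here is what reading the technical header looks like in code, ahead of the posts that cover it in detail. It parses a constructed raw message with Python’s standard library, rebuilds the route from the Received: lines and compares the visible From: with the envelope sender. Every host name, address and IP in it is invented.

```python
"""Reading the technical (full) header (added example, constructed message)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample. Each SMTP server prepends its own Received: line, so the
# top one is the final hop (your own mail server) and the bottom one the first.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-login.net>
Received: from mx.mail-login.net (mx.mail-login.net [203.0.113.10])
        by mx1.example.edu (Postfix) with ESMTP id 4F2A1
        for <you@example.edu>; Tue, 03 Mar 2020 09:15:02 -0500
Received: from [192.0.2.77] (unknown [192.0.2.77])
        by mx.mail-login.net with ESMTPA id 9Z3;
        Tue, 03 Mar 2020 09:14:58 -0500
From: Your Boss <your_boss@example.edu>
To: you@example.edu
Subject: Quick favour
Date: Tue, 03 Mar 2020 09:14:50 -0500
Message-ID: <20200303141450.ab12@mail-login.net>

Can you pick up some gift cards today? I will explain later.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"          # name the sending host announced (HELO/EHLO)
    r"(?:\s+\((?P<seen>[^)]*)\))?"      # what the receiver actually saw: reverse DNS and [IP]
    r".*?\bby\s+(?P<by>\S+)"            # the server that wrote this line
)


def parse_received(value: str) -> dict:
    """Split one Received: line into claimed host, observed host, receiving server and time."""
    value = " ".join(value.split())                   # join folded continuation lines
    hop = {"claimed": None, "seen": None, "by": None, "time": None}
    m = RECEIVED_RE.search(value)
    if m:
        hop.update(m.groupdict())
    if ";" in value:                                  # the timestamp follows the last ';'
        try:
            hop["time"] = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def route(raw: str) -> list[dict]:
    """Received: lines in the order the message actually travelled (first hop first)."""
    msg = message_from_string(raw, policy=policy.default)
    return [parse_received(str(v)) for v in reversed(msg.get_all("Received", []))]


def header_findings(raw: str) -> list[str]:
    """Compare the visible From: with what the technical header says."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, envelope = parseaddr(str(msg.get("Return-Path", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    env_dom = envelope.rpartition("@")[2].lower()
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender (Return-Path) is at {env_dom}, From: claims {from_dom}")

    mid_dom = str(msg.get("Message-ID", "")).rpartition("@")[2].rstrip(">").lower()
    if mid_dom and mid_dom != from_dom and not mid_dom.endswith("." + from_dom):
        findings.append(f"Message-ID was generated at {mid_dom}, not {from_dom}")

    hops = route(raw)
    if hops:
        first, last = hops[0], hops[-1]
        if first["seen"] and first["seen"].startswith("unknown"):
            findings.append(f"first hop {first['claimed']} had no reverse DNS (seen as '{first['seen']}')")
        # Hosts that handled the message: every relay's 'by', plus the host your own
        # server saw connecting to it (the reverse DNS it recorded, not the HELO name).
        entry_host = (last["seen"] or last["claimed"] or "?").split()[0]
        handled_by = [h["by"] for h in hops[:-1] if h["by"]] + [entry_host]
        if from_dom and not any(h == from_dom or h.endswith("." + from_dom) for h in handled_by):
            findings.append(f"no {from_dom} server handled the message; it arrived from {entry_host}")
        times = [h["time"] for h in hops if h["time"]]
        if any(a > b for a, b in zip(times, times[1:])):  # hops out of order: forged or skewed
            findings.append("Received: timestamps run backwards")
    return findings


if __name__ == "__main__":
    for i, hop in enumerate(route(RAW_MESSAGE), 1):
        print(f"hop {i}: {hop['claimed']} (seen as {hop['seen']}) -> {hop['by']} at {hop['time']}")
    for f in header_findings(RAW_MESSAGE):
        print("!", f)
```

Only the Received: line written by your own mail server (the top one) is trustworthy; every line below it was supplied by the sender’s side and can be forged. That is why the checks concentrate on which host handed the message to your server and on whether the envelope sender, the Message-ID and the From: line agree with each other.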

Over the next few posts I will discuss details of the visible header and what to look for in the header to help decipher the legitimacy of an email. I will also discuss the technical header and how it is used by servers and SPAM filters to weed out illegitimate messages.

Deciphering The Legitimacy of an Email

Cybercriminals use a wide variety of tools and tactics. By far the most popular is email. Criminals like email in part because it is very easy to spoof both a message and the address it comes from.  There are even free sites that let you send one-off emails from a spoofed or custom disposable address.

Much more important for the cybercriminal, however, is that it is even easier to get the recipient to believe the message is legitimate.

There are ways to help decipher an email, since most of the email tactics used by cybercriminals leave traces that help in determining whether a message has been spoofed. To uncover these traces one needs to take some time to break down the message.

The basic email header contains information such as From, To, Date and Subject, while the full header contains detailed information about where the email came from and how it was routed. The body of the email and any attachments can also provide additional traces that help to determine the email’s legitimacy.

Over the next series of posts I will break down the content of an email to help decipher its legitimacy.

Social Engineering and Cybercrime

At one time the name Kevin Mitnick was synonymous with the term “hacker.” In his 2002 book, The Art of Deception, Mitnick claims he did not use software programs or hacking tools to crack passwords or otherwise exploit computer or phone security. Instead, he compromised computers solely with passwords and codes that he obtained by getting people to unwittingly divulge them. That approach has not gone out of style: in 2017, 77% of US businesses were reportedly compromised by attacks that similarly did not involve installing malicious software, so-called file-less attacks.

Social engineering is the psychological manipulation of an individual into performing an action or divulging confidential information. Cybercriminals leverage it by studying individuals in their social world and manipulating fairly predictable levels of trust and gullibility [1].  The techniques they use are based on specific cognitive biases, attributes of human decision-making, and these biases are exploited in various combinations in the creation of almost all attack techniques [2].

Cybercriminals use social engineering tactics because it is easier to exploit an individual’s natural inclination to be trusting than to spend time building software tools to break through firewalls and system security. In short, it is much easier for a cybercriminal to get someone to give up their password than to try to crack it. By crawling through the information a target shares in online profiles and social media posts, cybercriminals can craft a custom strategy to manipulate them, through influence and persuasion, into divulging confidential information or even carrying out the attack for them.


Resources:

[1] Raman, Karthik, Susan Baumes, Kevin Beets, and Carl Ness. “Social Engineering and Low-Tech Attacks.” Chapter 19 in Bosworth, Seymour, and Michel E. Kabay, eds., Computer Security Handbook. John Wiley & Sons, 2002. https://onlinelibrary.wiley.com/doi/abs/10.1002/9781118851678.ch19

[2] Gutzwiller, Robert S., Sunny Fugate, Benjamin D. Sawyer, and P. A. Hancock. “The Human Factors of Cyber Network Defense.” Space and Naval Warfare Systems Center Pacific and University of Central Florida, 2015, pp. 113-122. https://doi.org/10.1016/j.jisa.2014.09.005